Snipe-IT File Upload Vulnerability Leads to Remote Code Execution (CVE-2026-37709)

Snipe-IT, a web-based IT asset management system, is vulnerable to a critical file upload vulnerability (CVE-2026-37709) affecting versions up to 8.4.0. This vulnerability stems from insufficient permission checks in the app/Http/Controllers/Api/UploadedFilesController.php component. Specifically, the API endpoint /api/v1/{object_type}/{id}/files allows users with “view” permissions, rather than the necessary “write” permissions, to upload files. Successful exploitation of this vulnerability can lead to arbitrary code execution on the server. The vulnerability was patched after the 2026-03-10 commit 676a9958 and released in version 8.4.1. This poses a significant risk to organizations using vulnerable Snipe-IT instances, potentially allowing attackers to compromise the entire system.

Attack Chain

1. An attacker identifies a vulnerable Snipe-IT instance running a version prior to 8.4.1.
2. The attacker authenticates to the Snipe-IT instance with user credentials that have “view” permissions for assets, consumables, or other managed objects.
3. The attacker crafts a malicious HTTP POST request to the /api/v1/{object_type}/{id}/files endpoint, replacing {object_type} and {id} with valid values for an existing asset or consumable.
4. The POST request includes a file containing malicious code, such as a PHP webshell, disguised as a seemingly harmless file type (e.g., image).
5. The Snipe-IT application, due to insufficient permission checks, accepts the file upload and stores it on the server.
6. The attacker determines the full path to the uploaded file on the server.
7. The attacker crafts a new HTTP request to execute the uploaded file, triggering the malicious code.
8. The attacker achieves remote code execution on the Snipe-IT server, potentially gaining full control of the system and sensitive data.

Impact

Successful exploitation of CVE-2026-37709 can lead to complete compromise of the Snipe-IT server. An attacker can gain unauthorized access to sensitive asset information, modify inventory data, and potentially pivot to other systems within the network. Given the critical nature of asset management systems, this vulnerability poses a severe risk to organizations of all sizes and across various sectors. The attacker could potentially steal intellectual property, disrupt operations, or launch further attacks from the compromised server.

Recommendation

• Upgrade Snipe-IT installations to version 8.4.1 or later to remediate CVE-2026-37709, as this version contains the necessary permission checks in the app/Http/Controllers/Api/UploadedFilesController.php component.
• Deploy the Sigma rule “Detect CVE-2026-37709 Exploitation — SnipeIT Malicious File Upload” to detect suspicious POST requests to the /api/v1/{object_type}/{id}/files endpoint.
• Monitor web server logs for HTTP POST requests to the /api/v1/{object_type}/{id}/files endpoint with filenames that contain suspicious extensions or patterns to identify potential exploitation attempts.